I’ve been going through updating all of my accounts (passwords, 2FA, etc.), and I’ve noticed that there are a lot of sites that don’t offer any form of MFA.

I can understand smaller services that might not have the bandwidth, but surely larger organisations are able to get this set up?

  • RegalPotoo@lemmy.world
    1 year ago
    • It takes engineering time, which is not a trivial cost - accounts and identity for large orgs tend to be a lot more complex than you might think - there will likely be a few different identity stores, and multiple systems that query those stores; making sure every possible permutation works correctly can be a big undertaking
    • It adds additional load to their support teams which is very expensive

    The support one is a real killer for a lot of places; I’ve worked with a place that had a few million paying customers, and ~half of those were in a tier where a single 30 minute support call would completely negate any revenue that that customer would bring in for the year. Email support was slightly less expensive, but would still be a significant proportion of your annual profit.